Iranian Hackers Charming Kitten's New Strategy: The POWERSTAR Backdoor


Published on Jun 30, 2023   —   2 min read

Photo by Claudio Schwarz / Unsplash

Unraveling the Advanced Tactics of Cyber Espionage with the Emergence of POWERSTAR


In the vast arena of cyber threats, continuous innovation and strategy adjustment are the norms. One group standing out in this landscape is Charming Kitten, an Iranian threat actor, notorious for their cunning use of an updated PowerShell backdoor, POWERSTAR. Here at The Final Hop, we aim to provide a deep dive into this emerging threat, its nuances, and its wider impact on the realm of cyber espionage.

Charming Kitten and its Mastery of Social Engineering

Charming Kitten, affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), is now tied to a spear-phishing campaign exploiting the POWERSTAR backdoor. The group is renowned for their advanced social engineering techniques, constructing convincing fake personas on social media platforms, engaging in prolonged conversations to build trust with targets before sending a malicious link​.

The Emergence of POWERSTAR Backdoor

POWERSTAR, or CharmPower, is a novel weapon in Charming Kitten's cyber warfare arsenal. Initially documented in attacks capitalizing on the Log4Shell vulnerabilities in publicly accessible Java applications, it has since been deployed in multiple campaigns. The latest attack wave in May 2023 used sophisticated techniques to hinder malware analysis​​.

POWERSTAR's Features and Functionality

POWERSTAR is armed with a variety of features that facilitate remote execution of commands, persistence establishment, system information gathering, and more. Its upgraded cleanup module is designed to erase all malware traces and delete persistence-related registry keys, demonstrating Charming Kitten's ongoing efforts to enhance their methods and evade detection​.

Strengthening the Attack Infrastructure

In a bid to fortify their attack infrastructure, Charming Kitten has created a POWERSTAR variant that fetches a hard-coded command-and-control (C2) server by decoding a file stored on the InterPlanetary Filesystem (IPFS)​​.

Consistency in Tactics and the Broader Implications

Despite the novel features and improvements, Charming Kitten's general phishing playbook and the overarching purpose of POWERSTAR remain unchanged. The group continues to utilize a broader set of tools to carry out malware-enabled espionage, posing a significant threat to cyber security​.


The constantly evolving cyber threat landscape necessitates an equal level of sophistication and adaptability from those tasked with defending against these threats. The emergence and continuous refinement of threats like POWERSTAR highlight the importance of vigilance and proactive measures in cyber defense. Knowledge of these threat actors' tactics, techniques, and procedures is crucial for devising effective security strategies. Stay informed, stay updated, and, above all, stay secure with The Final Hop.

For more deep dives into the world of cybersecurity, continue to follow us here at The Final Hop. Your destination for the latest insights into the evolving digital world.

Share on Facebook Share on Linkedin Share on Twitter Send by email

Subscribe to the newsletter

Subscribe to the newsletter for the latest news and work updates straight to your inbox, every week.